In order to respond effectively to a self-propagating malicious code outbreak (e.g. a computer worm), system administrators need to detect and contain the problem quickly before it becomes widespread. Failure to do so can result in untold damage, including system instability, downtime and data loss.
Conventional security event and alerting systems typically receive their data through centralized sources, where analysis and response can occur manually or automatically. This centralized model creates a long round trip between an event occurring and an alert being raised (whether based on one event or many). More time is then required for the alert to be translated into a reaction that prevents the detected attack (either manually by an operator, or automatically based on defined criteria for how to react to a given type of attack).
Furthermore, other existing security event and alerting systems (such as intrusion prevention systems) monitor for security events or alerts only at network gateway egress and ingress points. This presents the problem of missing highly localized network attacks, such as those that happen within a subnet and never traverse the points at which security events are monitored.
Therefore, what is needed is an improved security event and alerting system that shortens the conventional long round trip from event to alert and is able to more easily identify localized attacks.